{"result": {"zdt": [{"lastseen": "2016-04-20T00:53:29", "references": [], "description": "Revive Adserver versions 3.2.1 and below suffer from improper access controls, cross site request forgery, cross site scripting, local file inclusion, and various other vulnerabilities.", "edition": 1, "reporter": "Matteo Beccati", "published": "2015-10-08T00:00:00", "type": "zdt", "title": "Revive Adserver 3.2.1 Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7373", "CVE-2015-7368", "CVE-2015-7371", "CVE-2015-7367", "CVE-2015-7372", "CVE-2015-7366", "CVE-2015-7364", "CVE-2015-7370", "CVE-2015-7365", "CVE-2015-7369"], "modified": "2015-10-08T00:00:00", "href": "http://0day.today/exploit/description/24383", "id": "1337DAY-ID-24383", "sourceData": "========================================================================\r\nhttp://www.revive-adserver.com/security/revive-sa-2015-001\r\n========================================================================\r\nCVE-IDs: CVE-2015-7364, CVE-2015-7365, CVE-2015-7366,\r\n CVE-2015-7367, CVE-2015-7368, CVE-2015-7369,\r\n CVE-2015-7370, CVE-2015-7371, CVE-2015-7372,\r\n CVE-2015-7373\r\nDate: 2015-10-07\r\nRisk Level: Medium\r\nApplications affected: Revive Adserver\r\nVersions affected: <= 3.2.1\r\nVersions not affected: >= 3.2.2\r\nWebsite: http://www.revive-adserver.com/\r\n========================================================================\r\n\r\n\r\n========================================================================\r\nVulnerability 1 - Cross-Site Request Forgery (CSRF)\r\n========================================================================\r\nCVE-ID: CVE-2015-7364\r\nCWE-ID: CWE-352\r\nCVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\n========================================================================\r\n\r\nAbdullah Hussam Gazi discovered that the CSRF protection mechanism\r\nintroduced a few years ago to secure the forms generated with the\r\nHTML_Quickform library (most of the forms in 
Revive Adserver's admin\r\nUI) could be easily bypassed by sending an empty token along with the\r\nPOST data. The range of malicious actions includes, but is not limited\r\nto, modifying entities like banners and zones and altering preferences\r\nand settings.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7364\r\nhttp://cwe.mitre.org/data/definitions/352.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/288f81cc\r\n\r\n\r\n========================================================================\r\nVulnerability 2 - Reflected XSS\r\n========================================================================\r\nCVE-ID: CVE-2015-7365\r\nCWE-ID: CWE-79\r\nCVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\n========================================================================\r\n\r\nAbdullah Hussam Gazi has discovered that the plugin upgrade form was\r\nnot properly escaping filenames before displaying them when uploading\r\na file containing errors. Exploiting the vulnerability required a\r\nspecifically crafted multipart POST message.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7365\r\nhttp://cwe.mitre.org/data/definitions/79.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/b5848808\r\n\r\n\r\n========================================================================\r\nVulnerability 3 - Cross-Site Request Forgery (CSRF)\r\n========================================================================\r\nCVE-ID: CVE-2015-7366\r\nCWE-ID: CWE-532\r\nCVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\n========================================================================\r\n\r\nN B Sri Harsha has discovered that some plugin actions (e.g. enabling,\r\ndisabling) could be performed via GET without any CSRF protection\r\nmechanism. Successful CSRF attacks could potentially lead to service\r\ndisruptions in the case of core plugins being disabled. 
He also\r\ndiscovered that the account-user-*.php scripts were not checking the\r\nCSRF token sent via POST, allowing minor attacks, such as changing the\r\nvictim's contact name and language.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7366\r\nhttp://cwe.mitre.org/data/definitions/352.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/13d8181f\r\n\r\n\r\n========================================================================\r\nVulnerability 4 - Improper Access Control\r\n========================================================================\r\nCVE-ID: CVE-2015-7367\r\nCWE-ID: CWE-284\r\nCVSSv2: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)\r\n========================================================================\r\n\r\nN B Sri Harsha discovered that deleting or unlinking users with an\r\nactive session didn't have any effect until the session expired,\r\npotentially allowing the users to perform undesired actions while such\r\nsessions were still active.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7367\r\nhttp://cwe.mitre.org/data/definitions/284.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/ccbd1cc5\r\n\r\n\r\n========================================================================\r\nVulnerability 5 - Information Exposure Through Browser Caching\r\n========================================================================\r\nCVE-ID: CVE-2015-7368\r\nCWE-ID: CWE-525\r\nCVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)\r\n========================================================================\r\n\r\nN B Sri Harsha has discovered that the cached copies of pages visited\r\nin Revive Adserver's admin UI were still reachable via the browser\r\nhistory after successfully logging out. 
This potentially allowed\r\nexposure of sensitive information to unauthorised parties.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7368\r\nhttp://cwe.mitre.org/data/definitions/525.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/15aac363\r\nhttps://github.com/revive-adserver/revive-adserver/commit/c76f675d\r\n\r\n\r\n========================================================================\r\nVulnerability 6 - Overly Permissive Cross-domain Whitelist\r\n========================================================================\r\nCVE-ID: CVE-2015-7369\r\nCWE-ID: CWE-942\r\nCVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\n========================================================================\r\n\r\nSergey Markov has reported that the crossdomain.xml files shipped with\r\nRevive Adserver are overly permissive. On a default installation they\r\ncould in fact be exploited with malicious intent, e.g. to steal\r\nsession cookies.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7369\r\nhttp://cwe.mitre.org/data/definitions/942.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/4be0aa55\r\n\r\n\r\n========================================================================\r\nVulnerability 7 - Reflected XSS\r\n========================================================================\r\nCVE-ID: CVE-2015-7370\r\nCWE-ID: CWE-79\r\nCVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\n========================================================================\r\n\r\nSergey Markov has discovered that the open-flash-chart.swf file, used\r\nby the VideoAds plugin in Revive Adserver, was vulnerable to reflected\r\nXSS attacks on the id and data-file parameters. This file was included\r\nvia the third party LGPLv2 graphing library, Open Flash Chart 2, which\r\nappears to be currently unmaintained. 
The Revive Adserver team has\r\ntherefore decided to fix the vulnerabilities that had been reported\r\nand to publish a github repository for the library, containing its\r\nhistory and the vulnerability fixes, for the benefit of everyone else\r\nusing it:\r\n\r\nhttps://github.com/revive-adserver/open-flash-chart\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7370\r\nhttp://cwe.mitre.org/data/definitions/79.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/202eb15c\r\nhttps://github.com/revive-adserver/revive-adserver/commit/e9cda5a4\r\nhttps://github.com/revive-adserver/open-flash-chart/commit/0a181c56\r\n\r\n\r\n========================================================================\r\nVulnerability 8 - Improper Access Control\r\n========================================================================\r\nCVE-ID: CVE-2015-7371\r\nCWE-ID: CWE-284\r\nCVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)\r\n========================================================================\r\n\r\nKrzysztof K. 
Wasielewski reported that run-mpe.php, a script used by\r\nthe admin UI to asynchronously trigger a run of the Maintenance\r\nPriority Engine when necessary, was lacking proper authentication and\r\naccess control and could therefore be called by any third party.\r\nRunning maintenance is a resource-intensive task, although a locking\r\nmechanism prevents it from being run multiple times concurrently;\r\nthus, run-mpe.php cannot be used alone for a resource exhaustion attack.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7371\r\nhttp://cwe.mitre.org/data/definitions/284.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/12cefa6f\r\n\r\n\r\n========================================================================\r\nVulnerability 9 - Local File Inclusion\r\n========================================================================\r\nCVE-ID: CVE-2015-7372\r\nCWE-ID: CWE-98\r\nCVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\n========================================================================\r\n\r\nKrzysztof K. Wasielewski reported that the layerstyle parameter in\r\nal.php was not properly sanitized, causing a potential LFI\r\nvulnerability. Under normal circumstances, an attacker would need to\r\nplace a file named layerstyle.inc.php in an arbitrary directory on the\r\nserver and craft the layerstyle parameter accordingly to load it. If\r\nan old version of PHP is in use on the server, other attack\r\ntechniques might be possible, e.g. 
NULL-byte truncation.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7372\r\nhttp://cwe.mitre.org/data/definitions/98.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/86b623f8\r\nhttps://github.com/revive-adserver/revive-adserver/commit/c76f675d\r\n\r\n\r\n========================================================================\r\nVulnerability 10 - Reflected XSS (Cross-site scripting)\r\n========================================================================\r\nCVE-ID: CVE-2015-7373\r\nCWE-ID: CWE-79\r\nCVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\n========================================================================\r\n\r\nA feature called \"magic-macros\" in Revive Adserver allows dynamic data\r\nto be displayed in the banner output. There is a predefined set of\r\nsuch macros (e.g. {random}, {clickurl}, etc.), but the feature also\r\nallows the display of arbitrary GET parameters. A user reported that\r\nthe values coming from GET parameters were not properly escaped before\r\nbeing displayed, thus making banners using such magic-macros a\r\npotential vector for XSS attacks.\r\n\r\nReferences\r\n==========\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7373\r\nhttp://cwe.mitre.org/data/definitions/79.html\r\nhttps://github.com/revive-adserver/revive-adserver/commit/c40abff6\r\nhttps://github.com/revive-adserver/revive-adserver/commit/c76f675d\r\n\r\n\r\n========================================================================\r\nSolution\r\n========================================================================\r\n\r\nWe strongly advise people to upgrade to the most recent 3.2.2 release\r\nof Revive Adserver, including those running OpenX Source or older\r\nversions of the application.\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "http://0day.today/exploit/24383"}, {"lastseen": 
"2016-04-20T00:43:53", "references": [], "description": "Exploit for hardware platform in category dos / poc", "edition": 1, "reporter": "Tobias Engel", "published": "2009-01-01T00:00:00", "type": "zdt", "title": "Nokia S60 SMS/MMS (Curse of Silence) Denial of Service Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2009-01-01T00:00:00", "href": "http://0day.today/exploit/description/6700", "id": "1337DAY-ID-6700", "sourceData": "====================================================================\r\nNokia S60 SMS/MMS (Curse of Silence) Denial of Service Vulnerability \r\n====================================================================\r\n\r\n\r\n\r\n\r\n\r\nVulnerability Advisory\r\n======================\r\n\r\nRemote SMS/MMS Denial of Service - \"Curse Of Silence\"\r\nfor Nokia S60 phones\r\n\r\n\r\nURL\r\n===\r\n\r\nhttps://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt\r\n\r\n\r\nVideo\r\n=====\r\n\r\nhttps://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi\r\n\r\n\r\nAffected Products\r\n=================\r\n\r\nAll Nokia Series60 2.6, 2.8, 3.0, 3.1 devices, see detailed list at\r\nthe end of the document.\r\n\r\n\r\nRequirements to Execute Attack\r\n==============================\r\n\r\n- MSISDN of the target\r\n- mobile phone contract that allows sending of SMS messages\r\n- (almost) any Nokia phone (or some other means of sending SMS\r\n messages with TP-PID set to \"Internet Electronic Mail\")\r\n\r\n\r\nRisk Level\r\n==========\r\n\r\nMedium (for S60 2.8 and 3.1 devices): Target will not be able to\r\nreceive any SMS or MMS messages while the attack is ongoing. 
After\r\nthat, only very limited message receiving is possible until the device\r\nis Factory Reset.\r\n\r\nHigh (for S60 2.6 and 3.0 devices): Target will not be able to receive\r\nany SMS or MMS messages until the device is Factory Reset.\r\n\r\n\r\nSummary\r\n=======\r\n\r\nEmails can be sent via SMS by setting the message's Protocol Identifier\r\nto \"Internet Electronic Mail\" and formatting the message like this:\r\n\r\n<email-address><space><message body>\r\n\r\nIf such messages contain an <email-address> with more than 32\r\ncharacters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive\r\nother SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after\r\nonly one message, 2.8 and 3.1 devices after 11 messages.\r\n\r\n\r\nDetails\r\n=======\r\n\r\n3GPP TS 23.040 specifies a method for sending emails via SMS in\r\nsection 3.8 (\"SMS and Internet Electronic Mail interworking\"). In its\r\nmost basic form, such an SMS message starts with the from- (MT-SMS) or\r\nto-email-address (MO-SMS), followed by a space character, and then the\r\nmessage body. The TP-Protocol-Identifier of the SMS message has to be\r\nset to \"Internet Electronic Mail\" (value: 50 / 0x32).\r\n\r\nIt is not specified how such a message should be displayed when\r\nreceived by the phone. Before S60 2.6, Series60 devices displayed such\r\nmessages exactly as they were sent. Starting with S60 2.6, when the\r\npart of the message that should contain the from-address looks\r\nanything like an email address (i.e. it contains an \"@\" somewhere),\r\nthis address is then displayed as the message sender instead of the\r\nusually shown TP-Originating-Address.\r\n\r\nIf this email address is longer than 32 characters, Series60 2.6, 2.8,\r\n3.0 and 3.1 devices fail to display the message or give any indication\r\non the user interface that such a message has been received. 
They do,\r\nhowever, signal to the SMSC that they received the message by sending\r\nan RP-ACK.\r\n\r\nDevices running S60 2.6 or 3.0 will not be able to receive any other\r\nSMS message after that. The user interface does not give any\r\nindication of this situation. The only action to remedy this situation\r\nseems to be a Factory Reset of the device (by entering \"*#7370#\").\r\n\r\nDevices running S60 2.8 or 3.1 react a little differently: they do not\r\nlock up until they have received at least 11 SMS-email messages with an\r\nemail address that is longer than 32 characters. The device will not\r\nbe able to receive any other SMS message after that - upon receiving\r\nthe next message, the phone will just display a warning that there is\r\nnot enough memory to receive further messages and that data should be\r\ndeleted first. This message is even displayed on an otherwise\r\ncompletely \"empty\" device.\r\n\r\nAfter switching the phone off and on again, it has limited capability\r\nfor receiving SMS messages again: if it receives an SMS message that is\r\nsplit up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated\r\nShort Messages) it is only able to receive the first part and will\r\ndisplay the \"not enough memory\" warning again. After power-cycling the\r\ndevice again, it can then receive the second part. If there is a third\r\npart, it has to be power-cycled again, and so on.\r\n\r\nAlso, an attacker now just needs to send one more \"Curse Of Silence\"\r\nmessage to lock the phone up again. By always sending yet another one\r\nas soon as the status report for delivery of the previous message is\r\nreceived, the attacker could completely prevent a target from\r\nreceiving any other SMS/MMS messages.\r\n\r\nOnly Factory Resetting the device will restore its full message\r\nreceiving capabilities. 
Note that, if a backup is made using Nokia\r\nPC-Suite *after* being attacked, the blocking messages are also\r\nbacked up and will be sent to the device again when restoring the\r\nbackup after the Factory Reset.\r\n\r\nNote that not being able to receive SMS messages also means not being\r\nable to receive MMS messages, since they are signalled by sending an\r\nSMS message to the device.\r\n\r\n\"Curse Of Silence\" messages can be generated with any phone or\r\ncellular modem that supports 3GPP TS 27.005 AT commands and with most\r\nNokia phones also directly from the user interface. For example, on\r\nS60 devices, when in the message editor, the type of the message can\r\nbe switched to \"E-mail\" under \"Options\" -> \"Sending options\" ->\r\n\"Message sent as\". The 6310i conveniently offers a \"Write email\" menu\r\nentry in the messaging menu.\r\n\r\nThe simplest form of content for a Curse Of Silence would be something\r\nlike \"123456789@123456789.1234567890123 \" (the digits are used only to\r\nillustrate the length of the \"email address\" of more than 32\r\ncharacters). Note the space at the end of the message!\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nNone known for the user side.\r\n\r\nUntil a firmware fix is available, network operators should filter\r\nmessages with TP-PID \"Internet Electronic Mail\" and an email address\r\nof more than 32 characters or reset the TP-PID of these messages to 0.\r\n\r\n\r\nCredits\r\n=======\r\n\r\nTobias Engel <tobias@ccc.de>\r\nNovember 9, 2008\r\n\r\nMany thanks to Frank Rieger for spending countless hours cutting and\r\nediting the video.\r\n\r\n\r\nDetailed List of Affected Products\r\n==================================\r\n\r\nTested on several S60 2.6, 3.0 and 3.1 devices. 
Since the vulnerable\r\ncomponent is a S60 base functionality, it seems safe to assume that\r\nall devices with these OS versions are affected.\r\n\r\nS60 3rd Edition, Feature Pack 1 (S60 3.1):\r\nNokia E90 Communicator\r\nNokia E71\r\nNokia E66\r\nNokia E51 \r\nNokia N95 8GB\r\nNokia N95\r\nNokia N82\r\nNokia N81 8GB\r\nNokia N81\r\nNokia N76\r\nNokia 6290\r\nNokia 6124 classic\r\nNokia 6121 classic\r\nNokia 6120 classic\r\nNokia 6110 Navigator\r\nNokia 5700 XpressMusic\r\n\r\nS60 3rd Edition, initial release (S60 3.0):\r\nNokia E70\r\nNokia E65\r\nNokia E62\r\nNokia E61i\r\nNokia E61\r\nNokia E60\r\nNokia E50\r\nNokia N93i\r\nNokia N93\r\nNokia N92\r\nNokia N91 8GB\r\nNokia N91\t\r\nNokia N80\r\nNokia N77\r\nNokia N73\r\nNokia N71\r\nNokia 5500\r\nNokia 3250\r\n\r\nS60 2nd Edition, Feature Pack 3 (S60 2.8):\r\nNokia N90\r\nNokia N72\r\nNokia N70\r\n\r\nS60 2nd Edition, Feature Pack 2 (S60 2.6):\r\nNokia 6682\r\nNokia 6681\r\nNokia 6680\r\nNokia 6630\r\n\r\n\r\nChange History\r\n==============\r\n\r\nDecember 30, 2008:\r\nRemoved auth details since they are no longer required\r\n\r\nDecember 21, 2008:\r\nCorrected version numbers for S60 2nd Edition\r\n\r\nDecember 13, 2008:\r\nS60 2.8 devices react like S60 3.1 devices, not like S60 2.6 or 3.0\r\ndevices\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/6700"}]}}